Logging DynamoDB Operations by Using AWS CloudTrail

DynamoDB is integrated with CloudTrail, a service that captures low-level API requests made by or on behalf of DynamoDB in your AWS account and delivers the log files to an Amazon S3 bucket that you specify. CloudTrail captures calls made from the DynamoDB console or from the DynamoDB low-level API. Using the information collected by CloudTrail, you can determine what request was made to DynamoDB, the source IP address from which the request was made, who made the request, when it was made, and so on. CloudTrail logging is automatically enabled in your AWS account. To learn more about CloudTrail, see the AWS CloudTrail User Guide.

DynamoDB Information in CloudTrail

Any low-level API calls made to DynamoDB actions are tracked in log files. DynamoDB records are written together with other AWS service records in a log file. CloudTrail determines when to create and write to a new file based on a time period and file size.

Every log entry contains information about who generated the request. The user identity information in the log helps you determine whether the request was made with root or IAM user credentials, with temporary security credentials for a role or federated user, or by another AWS service. For more information, see the userIdentity field in the CloudTrail Event Reference.

You can store your log files in your bucket for as long as you want, but you can also define Amazon S3 lifecycle rules to archive or delete log files automatically. By default, your log files are encrypted by using Amazon S3 server-side encryption (SSE).

You can choose to have CloudTrail publish Amazon SNS notifications when new log files are delivered if you want to take quick action upon log file delivery. For more information, see Configuring Amazon SNS Notifications.

Understanding DynamoDB Log File Entries

CloudTrail log files contain one or more log entries where each entry is made up of multiple JSON-formatted events. A log entry represents a single request from any source and includes information about the requested action, any parameters, the date and time of the action, and so on. The log entries are not guaranteed to be in any particular order. That is, they are not an ordered stack trace of the low-level DynamoDB API calls.
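
The following Python sketch is an added example, not part of the AWS documentation. It pulls the DynamoDB entries out of a delivered log file that also holds other services' records, puts them in time order (the file itself guarantees none), and reports the credential type from userIdentity. The sample records, account ID, ARNs, IP addresses, and table name are constructed for illustration; the field names follow the CloudTrail record format.

```python
import json
from datetime import datetime

# Constructed sample of one delivered log file (not real account data).
# Records from several services are mixed and out of time order.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2015-05-28T18:06:01Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "DeleteTable", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"tableName": "Music"}},
    {"eventTime": "2015-05-28T18:03:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateBucket", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": None},
    {"eventTime": "2015-05-28T18:02:15Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "UpdateTable", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/admin/bob"},
     "requestParameters": {"tableName": "Music"}},
    {"eventTime": "2015-05-28T18:01:58Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "CreateTable", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"tableName": "Music"}},
]})

def dynamodb_events(log_text):
    """Return only the DynamoDB records of a log file, sorted by eventTime."""
    records = json.loads(log_text).get("Records", [])
    ddb = [r for r in records if r.get("eventSource") == "dynamodb.amazonaws.com"]
    return sorted(ddb, key=lambda r: datetime.strptime(r["eventTime"],
                                                       "%Y-%m-%dT%H:%M:%SZ"))

def summarize(record):
    """Reduce a record to what was requested, by whom, when, and from where."""
    ident = record.get("userIdentity") or {}
    return {
        "when": record["eventTime"],
        "action": record.get("eventName"),
        # AWS service callers carry invokedBy instead of an ARN.
        "who": ident.get("arn") or ident.get("invokedBy") or "unknown",
        "credential_type": ident.get("type", "unknown"),
        "source_ip": record.get("sourceIPAddress"),
        # requestParameters can be null in a record.
        "table": (record.get("requestParameters") or {}).get("tableName"),
    }

def root_calls(log_text):
    """DynamoDB requests made with root credentials, usually worth a review."""
    return [s for s in map(summarize, dynamodb_events(log_text))
            if s["credential_type"] == "Root"]

if __name__ == "__main__":
    for rec in dynamodb_events(SAMPLE_LOG):
        print(summarize(rec))
```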